hazza/jupyterhub
1
0
Fork 0
mirror of https://github.com/jupyterhub/jupyterhub.git synced 2025-10-12 20:43:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

suggest roles instead of admin_users

Browse Source 
and make admin link permission check match admin page

it would be nice if this could be consolidated (maybe an `admin:ui` permission?)
This commit is contained in:
Min RK
2021-09-16 11:55:20 +02:00
parent 12ab53fb37
commit 5f19989467
8 changed files with 37 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docs/source/getting-started/authenticators-users-basics.md
View File

@@ -18,6 +18,13 @@ started.
## Configure admins (`admin_users`) ## Configure admins (`admin_users`)
```{note}
As of JupyterHub 2.0, the full permissions of `admin_users`
should not be required.
Instead, you can assign [roles][] to users or groups
with only the scopes they require.
```
Admin users of JupyterHub, `admin_users`, can add and remove users from Admin users of JupyterHub, `admin_users`, can add and remove users from
the user `allowed_users` set. `admin_users` can take actions on other users' the user `allowed_users` set. `admin_users` can take actions on other users'
behalf, such as stopping and restarting their servers. behalf, such as stopping and restarting their servers.

2
docs/source/rbac/roles.md
View File

@@ -1,3 +1,5 @@
(roles)=
# Roles # Roles
JupyterHub provides four roles that are available by default: JupyterHub provides four roles that are available by default:

17
examples/postgres/hub/jupyterhub_config.py
View File

@@ -2,10 +2,23 @@
c = get_config() # noqa c = get_config() # noqa
# Add some users. # Add some users
c.JupyterHub.admin_users = {'rhea'}
c.Authenticator.allowed_users = {'ganymede', 'io', 'rhea'} c.Authenticator.allowed_users = {'ganymede', 'io', 'rhea'}
c.JupyterHub.load_roles = [
{
"name": "user-admin",
"scopes": [
"admin:groups",
"admin:users",
"admin:servers",
],
"users": [
"rhea",
],
}
]
# These environment variables are automatically supplied by the linked postgres # These environment variables are automatically supplied by the linked postgres
# container. # container.
import os import os

6
jupyterhub/app.py
View File

@@ -1866,12 +1866,6 @@ class JupyterHub(Application):
if not self.authenticator.validate_username(username): if not self.authenticator.validate_username(username):
raise ValueError("username %r is not valid" % username) raise ValueError("username %r is not valid" % username)
if not admin_users:
self.log.warning("No admin users, admin interface will be unavailable.")
self.log.warning(
"Add any administrative users to `c.Authenticator.admin_users` in config."
)
new_users = [] new_users = []
for name in admin_users: for name in admin_users:

8
jupyterhub/auth.py
View File

@@ -88,6 +88,10 @@ class Authenticator(LoggingConfigurable):
help=""" help="""
Set of users that will have admin rights on this JupyterHub. Set of users that will have admin rights on this JupyterHub.
Note: As of JupyterHub 2.0,
full admin rights should not be required,
and more precise permissions can be managed via roles.
Admin users have extra privileges: Admin users have extra privileges:
- Use the admin panel to see list of users logged in - Use the admin panel to see list of users logged in
- Add / remove users in some authenticators - Add / remove users in some authenticators
@@ -987,6 +991,10 @@ class PAMAuthenticator(LocalAuthenticator):
Users not in these groups can still be granted admin status through admin_users. Users not in these groups can still be granted admin status through admin_users.
allowed/blocked rules still apply. allowed/blocked rules still apply.
Note: As of JupyterHub 2.0,
full admin rights should not be required,
and more precise permissions can be managed via roles.
""" """
).tag(config=True) ).tag(config=True)

2
jupyterhub/handlers/base.py
View File

@@ -1239,6 +1239,8 @@ class BaseHandler(RequestHandler):
static_url=self.static_url, static_url=self.static_url,
version_hash=self.version_hash, version_hash=self.version_hash,
services=self.get_accessible_services(user), services=self.get_accessible_services(user),
parsed_scopes=self.parsed_scopes,
expanded_scopes=self.expanded_scopes,
) )
if self.settings['template_vars']: if self.settings['template_vars']:
ns.update(self.settings['template_vars']) ns.update(self.settings['template_vars'])

3
jupyterhub/handlers/pages.py
View File

@@ -450,7 +450,8 @@ class AdminHandler(BaseHandler):
"""Render the admin page.""" """Render the admin page."""
@web.authenticated @web.authenticated
@needs_scope('users') # stacked decorators: all scopes must be present # stacked decorators: all scopes must be present
# note: keep in sync with admin link condition in page.html
@needs_scope('admin:users') @needs_scope('admin:users')
@needs_scope('admin:servers') @needs_scope('admin:servers')
async def get(self): async def get(self):

2
share/jupyterhub/templates/page.html
View File

@@ -122,7 +122,7 @@
{% block nav_bar_left_items %} {% block nav_bar_left_items %}
<li><a href="{{base_url}}home">Home</a></li> <li><a href="{{base_url}}home">Home</a></li>
<li><a href="{{base_url}}token">Token</a></li> <li><a href="{{base_url}}token">Token</a></li>
{% if user.admin %} {% if 'admin:users' in parsed_scopes and 'admin:servers' in parsed_scopes %}
<li><a href="{{base_url}}admin">Admin</a></li> <li><a href="{{base_url}}admin">Admin</a></li>
{% endif %} {% endif %}
{% if services %} {% if services %}